Private-IP Bypass Vulnerability in Ghost CMS by Ghost
CVE-2026-53945

4 MEDIUM

Key Information:

Vendor

Tryghost

Status
Vendor
CVE Published:
24 June 2026

What is CVE-2026-53945?

Ghost is a popular Node.js-based content management system. In versions 6.0.9 up to, but not including, 6.21.1, the private-IP check applied to outbound HTTP requests can be bypassed through DNS rebinding, which may allow an attacker to make the Ghost server send requests to hosts on the internal network. Such exposure can result in unauthorized access to sensitive internal resources, so users should upgrade to version 6.21.1 or later to mitigate this risk.
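The general pattern behind a rebinding bypass of a private-IP check, shown beside a hardened form, as an added example that is not Ghost's code and does not reproduce its fix. It assumes the usual shape of this defect class (validate one DNS answer, connect on another); the function names, the in-memory resolver, and the hostname and addresses are hypothetical, constructed values.

```javascript
// Added example, not Ghost's code. All function names below are hypothetical.
const net = require('net');

// Destinations an outbound fetcher should refuse (loopback, RFC 1918, link-local, CGNAT, ULA).
const internal = new net.BlockList();
const v4 = [['0.0.0.0', 8], ['10.0.0.0', 8], ['100.64.0.0', 10], ['127.0.0.0', 8],
            ['169.254.0.0', 16], ['172.16.0.0', 12], ['192.168.0.0', 16]];
const v6 = [['::', 127], ['fc00::', 7], ['fe80::', 10]];
for (const [addr, prefix] of v4) internal.addSubnet(addr, prefix, 'ipv4');
for (const [addr, prefix] of v6) internal.addSubnet(addr, prefix, 'ipv6');

function isInternal(address) {
  const family = net.isIP(address);          // 4, 6, or 0 when not an IP literal
  if (family === 0) return true;             // fail closed on anything unparseable
  return internal.check(address, family === 6 ? 'ipv6' : 'ipv4');
}

// Weak pattern: validate one lookup, then let the HTTP client resolve the name again.
// `resolve` stands in for DNS; the return value is the address the socket would reach.
function checkThenConnect(hostname, resolve) {
  if (resolve(hostname).some(isInternal)) throw new Error('blocked: internal address');
  return resolve(hostname)[0];               // second lookup, never validated
}

// Hardened pattern: resolve once, validate every record, connect to that exact address.
function resolveAndPin(hostname, resolve) {
  const addresses = resolve(hostname);
  if (addresses.length === 0 || addresses.some(isInternal)) {
    throw new Error('blocked: internal or empty answer');
  }
  return addresses[0];                       // hand this to the socket; do not resolve again
}

// Constructed resolver whose answer changes between lookups, like a short-TTL record.
function changingResolver(answers) {
  let i = 0;
  return () => answers[Math.min(i++, answers.length - 1)];
}

const sample = [['203.0.113.10'], ['127.0.0.1']];   // constructed sample answers
console.log('check-then-connect reaches:', checkThenConnect('hook.example', changingResolver(sample)));
console.log('resolve-and-pin reaches:   ', resolveAndPin('hook.example', changingResolver(sample)));
```

With Node's HTTP client, the pinned address can be supplied through the `lookup` option of `http.request` so the socket layer performs no second resolution. The same validation has to run again for every redirect hop.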

Affected Version(s)

Ghost >= 6.0.9, < 6.21.1

CVSS V3.1

Score:
4
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved